A hospital in Texas released three years of a patient's psychotherapy notes to an employer — based on a form the patient had signed in a waiting room without reading. The form didn't specify the type of information being disclosed. It didn't name the recipient. And it didn't include an expiration date. That single piece of paper triggered a federal investigation, a six-figure settlement, and a compliance overhaul that took eighteen months to finish.
The authorization of release of health information is one of the most frequently botched documents in healthcare. It looks simple. It's anything but. If your organization handles PHI — whether you're a covered entity, a business associate, or a hybrid — getting this wrong exposes you to OCR enforcement actions, lawsuits, and the kind of headlines nobody wants.
This post breaks down exactly what makes an authorization valid, when you need one, when you don't, and the real penalties organizations have paid for getting it wrong.
What Is an Authorization of Release of Health Information?
Under the HIPAA Privacy Rule, an authorization is a written document that gives a covered entity permission to use or disclose a patient's protected health information for purposes that aren't otherwise permitted by the rule. Think of it as the patient's explicit, informed "yes" — documented in a way that meets very specific federal requirements.
This isn't a consent form. HIPAA draws a hard line between consent (which is optional and general) and authorization (which is required for specific disclosures and must contain particular elements). Mixing these up is one of the most common compliance failures I've seen in twenty years of consulting.
Authorization vs. Consent: The Distinction That Trips Up Most Practices
Consent is broad. It might cover treatment, payment, and healthcare operations. Authorization is narrow and purpose-specific. Under 45 CFR § 164.508, a valid authorization of release of health information must stand on its own. It can't be buried inside a consent-to-treat form or hidden in a stack of intake paperwork.
I've audited practices where the "authorization" was a single checkbox at the bottom of page four. That doesn't hold up. OCR expects a standalone document with clear, specific elements.
The Six Required Elements OCR Actually Looks For
The Privacy Rule at 45 CFR § 164.508 spells out what every valid authorization must include. Miss even one, and the entire document is defective — meaning any disclosure you made based on it was unauthorized.
- A specific description of the PHI to be disclosed. "Medical records" is too vague. You need to identify the type of information: lab results, medication history, mental health records, etc.
- The name or specific identification of the person or entity authorized to make the disclosure. Usually the covered entity holding the records.
- The name or specific identification of the person or entity to whom the disclosure will be made. "My attorney" isn't enough. Name the law firm, the insurer, the specific individual.
- A description of the purpose of the disclosure. "At the request of the individual" is acceptable if the patient initiates it, but for other situations, you need specificity.
- An expiration date or event. Open-ended authorizations are invalid. The form must state when the permission ends.
- The individual's signature and date. If a personal representative signs, documentation of their authority is required.
On top of these core elements, the authorization must include three required statements: the right to revoke, the potential for re-disclosure, and the ability (or inability) to condition treatment or benefits on signing. Leave out any of these, and you have a defective authorization.
When You Need an Authorization — and When You Don't
This is where I see the most confusion during audits. HIPAA permits many disclosures without an authorization. Treatment, payment, and healthcare operations don't require one. Neither do disclosures required by law, public health activities, or certain law enforcement requests.
Situations That Always Require a Valid Authorization
- Releasing psychotherapy notes (with very limited exceptions)
- Using PHI for marketing purposes
- Selling PHI
- Disclosing PHI to an employer for employment decisions
- Sharing records with a life insurance company
- Any disclosure that doesn't fall under a Privacy Rule exception
The psychotherapy notes category is especially strict. Under the Privacy Rule, these notes get a higher level of protection than standard medical records. Even a court order doesn't automatically override the authorization requirement for psychotherapy notes.
The "Treatment, Payment, and Operations" Exception Isn't a Blank Check
I've seen providers assume that because they can share PHI for treatment without authorization, they can share anything with anyone involved in care. That's not how it works. The minimum necessary standard still applies to most disclosures. You share only what's needed, with only who needs it.
The $1.5 Million Mistake: When Authorizations Go Wrong
In 2018, the HHS Office for Civil Rights settled with Filefax, Inc. for $100,000 after the company left medical records — including PHI that had been released based on defective authorizations — accessible in an unlocked vehicle. The broader lesson from OCR's enforcement history is clear: defective authorizations don't just create paperwork problems. They create liability.
In a separate case, Cignet Health faced a $4.3 million civil money penalty — the first ever issued by OCR — partly for failing to provide patients with access to their own records. While that case centered on the right of access rather than authorization specifically, it demonstrated OCR's willingness to impose massive penalties when organizations mishandle the fundamental rights patients have over their own health information.
Your organization can't afford to treat authorizations as administrative afterthoughts. Every form needs legal review. Every staff member who handles these documents needs to know the six elements cold.
How to Build an Authorization Form That Actually Holds Up
Start with the federal requirements, then layer on your state's rules. Many states impose stricter requirements — especially for substance use disorder records (governed by 42 CFR Part 2), HIV/AIDS information, and mental health records.
Practical Steps for Your Compliance Team
- Use plain language. A patient who doesn't understand what they're signing hasn't given valid authorization. Write at an eighth-grade reading level.
- Make the form standalone. Don't combine it with consent forms, NPP acknowledgments, or intake paperwork.
- Train your front desk staff. They're the ones handing these forms to patients. They need to explain — not just distribute.
- Set a reasonable expiration. "One year from date of signature" is common. "Until revoked" is not valid in many states.
- Track revocations. When a patient revokes an authorization, your systems need to stop the disclosure immediately. Document the revocation and timestamp it.
If your workforce hasn't been trained on what makes an authorization valid, you're operating on borrowed time. Our HIPAA training catalog includes modules that walk your staff through real-world authorization scenarios — the kind OCR investigators actually ask about.
What Happens When a Patient Revokes an Authorization?
A patient can revoke an authorization of release of health information at any time, in writing. Once you receive that revocation, you must stop all future disclosures based on that authorization. You are not required to claw back information already disclosed in good faith before the revocation.
The tricky part is operational. Does your EHR flag revoked authorizations? Does your release-of-information team get notified in real time? In my experience, this is where most organizations fall apart. They have a policy that says "we honor revocations" but no workflow that actually makes it happen.
State Laws That Override — or Stack On Top of — HIPAA
HIPAA sets the floor, not the ceiling. If your state has stricter authorization requirements, you follow the state law. California, for instance, requires specific authorization language for disclosures of mental health, HIV, and genetic information. Texas has its own medical privacy act with additional requirements.
This means your authorization form can't be a one-size-fits-all template downloaded from the internet. It needs to reflect both federal and state requirements. If your organization operates across state lines — telemedicine providers, multi-state health systems — you may need multiple versions of your authorization form.
Workforce Training: The Control That Makes Everything Else Work
Every element I've described — the six required components, the revocation process, the state law overlays — depends on your people knowing what to do. The Privacy Rule at 45 CFR § 164.530(b) requires covered entities to train all workforce members on policies and procedures related to PHI.
That includes the person at the front desk who hands the form to the patient. The medical records clerk who processes release requests. The nurse who gets a phone call from an attorney asking for records. Everyone.
If you're looking for a structured approach to workforce training that covers authorizations, breach notification, and the full scope of the Privacy and Security Rules, explore the HIPAA compliance training programs at HIPAACertify. The modules are built around the exact scenarios OCR investigates — not abstract theory.
Quick-Reference Checklist for Valid Authorizations
- Specific description of PHI to be released
- Named person/entity making the disclosure
- Named person/entity receiving the disclosure
- Purpose of the disclosure
- Expiration date or expiration event
- Individual's signature and date
- Statement about right to revoke
- Statement about re-disclosure risks
- Statement about conditioning treatment/benefits
- State-specific requirements addressed
Print this. Tape it next to every workstation where authorizations are processed. I've seen this single step cut defective authorization rates by more than half in practices I've worked with.
The Bottom Line on Getting Authorizations Right
The authorization of release of health information isn't just a form — it's a legal instrument that protects both the patient and your organization. Every defective authorization is an unauthorized disclosure waiting to become an OCR complaint. Every untrained staff member is a risk factor you can control.
Get the form right. Train your people. Track your revocations. And when you're not sure whether a disclosure requires an authorization, default to getting one. The cost of an unnecessary authorization is zero. The cost of a missing one can be catastrophic.